The attacker behind the data breach impacting several school boards across the Greater Toronto Area and abroad may have gotten access to staff and students’ personal and sensitive information, PowerSchool says.
In a letter to parents on Wednesday, the Toronto District School Board (TDSB) notified families of a “cyber incident” after an application they use called PowerSchool was breached over the holiday break.
Here is what you need about the breach:
Which boards were impacted
Various school boards across the province use this application to store student information and some school-based staff information. The Office of the Information and Privacy Commissioner of Ontario says the Toronto, Peel, York, Thunder Bay, Lakehead, Brant Haldimand Norfolk Catholic, Near North, Northwest Catholic, Northeastern Catholic and Rainy River district school boards have notified them of the cybersecurity incident.
Durham District School Board also notified families they have been impacted by the data breach, but the commissioner’s office says they have not been notified by that board at this time.
“The possibility that the sensitive personal information of students and staff has been exposed is very troubling. While public institutions like schools and school boards can outsource services to third-party vendors, they cannot outsource accountability for protecting personal information,” the Office of the Information and Privacy Commissioner wrote in an emailed statement.
Given that they are still investigating the cybersecurity incident, the commissioner’s office could not share additional details at this time.
How did the hackers access the information
In a technical briefing on Thursday, Mishka McCowan, PowerSource’s Chief Information Security Officer, said the unauthorized actor was able to hack into PowerSchool through compromised credentials on PowerSource.
“It is very clear that there were two actions taken by the attacker,” McCowan said. “First, was to simply log in from PowerSource into the individual (Student Information System). Second, was to download the content of the student and teacher tables.”
What information might have been compromised
A PowerSchool spokesperson says via email that the tables that were the subject of the breach primarily include contact information, like names and addresses for families and educators.
“For a certain subset of customers, these tables may also include Social Security Number (SSN), other Personally Identifiable Information (PII), and limited medical and grade information,” the statement reads. McCowan says not all school boards log sensitive information like Social Insurance Numbers, with that kind of data logged varying school board-by-school board.
The impacted school boards said Wednesday that they have received confirmation that whatever data the unauthorized user accessed has been deleted and that no copies of that information were disseminated online.
“PowerSchool has taken all appropriate steps to prevent the data involved from further unauthorized misuse and does not anticipate the data being shared or made public,” PowerSchool’s spokesperson says.
PowerSchool says it engaged its cybersecurity response protocols and mobilized a cross-functional response team, including third-party cybersecurity experts from CrowdStrike and senior leadership members. The TDSB, DDSB and PDSB say they have contacted the Information and Privacy Commissioner of Ontario.
“Once we identified what account was being used, and there’ll be more on that later, be patient on that, we identified and moved access, we shut down that account,” McCowan said during Thursday’s technical briefing. “Out of an abundance of caution, we reset the passwords for all PowerSchool employees in that PowerSource system.”
They also restricted the compromised account’s access to the affected portal.
“We are still working through our detailed data review for each of the impacted customers,” PowerSchool’s spokesperson says.
How many families were impacted
It is unclear at this time just how many school boards have been impacted by this data breach, however other school boards across Canada were also hit by PowerSchool’s cybersecurity incident.
Mark Racine, a security consultant for school boards and co-founder of RootED solutions, told CP24 in an interview that it is reasonable to say millions of students were impacted.
“PowerSchool we do know that they serve 60 million students worldwide. But we know that this attack didn’t impact all of their products and it certainly didn’t impact all of their customers,” Racine said.